timebasedcipher 3.0.0 → 3.0.2

package/README.md

@@ -1,208 +1,147 @@
 # timebasedcipher
 
-A lightweight, isomorphic (**Node + Browser**) library for **time-based rotating AES encryption** with optional **JWT-based key validation**.
+A lightweight, isomorphic (**Node.js 18+ and modern browsers**) library
+for **time-based rotating AES-256-GCM encryption with integrity
+validation**.
 
-Built with [`crypto-js`](https://www.npmjs.com/package/crypto-js), this package provides a simple interface to:
+This implementation uses the **Web Crypto API** and provides:
 
-- Generate **time-based rotating AES keys**
-- Encrypt and decrypt JavaScript objects or strings
-- Validate JWTs before key derivation (optional)
-- Works seamlessly in both **frontend** and **backend** environments
+- Time-based rotating AES-256 keys derived using HKDF-SHA256
+- Authenticated encryption using AES-256-GCM
+- Encrypted signature validation
+- Works in both Node.js (v18+) and modern browser environments
+- No external crypto dependencies
 
 ---
 
 ## Installation
 
 ```bash
-npm install timebasedcipher crypto-js
+npm install timebasedcipher
 # or
-yarn add timebasedcipher crypto-js
+yarn add timebasedcipher
 # or
-pnpm add timebasedcipher crypto-js
+pnpm add timebasedcipher
 ```
 
+Node.js 18+ is required for native Web Crypto support.
+
 ---
 
 ## Quick Start
 
 ```ts
-import { generateKey, encrypt, decrypt } from "timebasedcipher";
-
-const sharedSecret = "mySuperSecret";
-const intervalSeconds = 60; // key changes every 60 seconds
-
-// Step 1: Generate a rotating key
-const key = generateKey(sharedSecret, intervalSeconds);
-console.log("Generated Key:", key);
-
-// Step 2: Encrypt some data
-const data = { user: "Deb", role: "admin", timestamp: Date.now() };
-const cipher = encrypt(data, key);
-console.log("Encrypted:", cipher);
+import { encrypt, decrypt } from "timebasedcipher";
 
-// Step 3: Decrypt it
-const decrypted = decrypt(cipher, key);
-console.log("Decrypted:", decrypted);
-```
-
-Works in both **Node.js** and **browser** environments.
-
----
-
-## Function Reference
-
-### `generateKey(sharedSecretOrJwt: string, interval: number, isJwt?: boolean): string`
-
-Generates a **SHA-256 key** that rotates every `interval` seconds.
-When `isJwt` is set to `true`, the input is treated as a **JWT string** — its `exp` claim is validated before key derivation.
-
-| Parameter            | Type      | Description                                                                 |
-| -------------------- | --------- | --------------------------------------------------------------------------- |
-| `sharedSecretOrJwt`  | `string`  | A pre-shared secret or a JWT string when `isJwt = true`.                    |
-| `interval`           | `number`  | Time in seconds after which the key rotates.                                |
-| `isJwt` _(optional)_ | `boolean` | When `true`, validates JWT expiry and uses the raw JWT as the secret input. |
-
-**Returns:** `string` — a 64-character hex string (256-bit key).
-
-**Throws:**
+const secret = "mySuperSecret";
+const intervalSeconds = 60; // key rotates every 60 seconds
 
-- `Error("Invalid JWT: missing payload part")` — malformed token
-- `Error("JWT payload does not contain a valid 'exp' claim")`
-- `Error("JWT is expired")`
+const data = { user: "TestUser", role: "admin", timestamp: Date.now() };
 
-#### Example (with JWT validation)
+// Encrypt
+const cipher = await encrypt(data, secret, intervalSeconds);
 
-```ts
-const jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."; // your JWT
-const interval = 120;
+// Decrypt
+const decrypted = await decrypt(cipher, secret, intervalSeconds);
 
-const key = generateKey(jwt, interval, true); // validates exp claim
+console.log(decrypted);
 ```
 
 ---
 
-### `encrypt(data: any, encryptionKeyHex: string): string`
-
-Encrypts any serializable JavaScript object or string using **AES-256-CBC**.
+## API Reference
 
-| Parameter          | Type     | Description                                       |
-| ------------------ | -------- | ------------------------------------------------- |
-| `data`             | `any`    | The object or value to encrypt.                   |
-| `encryptionKeyHex` | `string` | 64-character hex string key (from `generateKey`). |
+### encrypt`<T>`{=html}(data: T, secret: string, intervalSeconds: number): Promise`<string>`{=html}
 
-**Returns:**
-A string in format:
-
-```
-cipherHex:ivHex
-```
+Encrypts JSON-serializable data using a time-rotating AES-256-GCM key.
 
 ---
 
-### `decrypt(cipherText: string, encryptionKeyHex: string): any`
-
-Decrypts ciphertext previously produced by `encrypt`.
+| Name              | Type     | Description                           |
+| ----------------- | -------- | ------------------------------------- |
+| `data`            | `any`    | JSON-serializable value               |
+| `secret`          | `string` | Shared secret used for key derivation |
+| `intervalSeconds` | `number` | Key rotation interval in seconds      |
 
-| Parameter          | Type     | Description                                             |
-| ------------------ | -------- | ------------------------------------------------------- |
-| `cipherText`       | `string` | Ciphertext in `"cipherHex:ivHex"` format.               |
-| `encryptionKeyHex` | `string` | 64-character hex string key (same key used to encrypt). |
-
-**Returns:**
-The decrypted JavaScript value (automatically parsed from JSON).
+---
 
-**Throws:**
+**Returns**
 
-- `Error("Invalid cipher format, expected cipherHex:ivHex")`
-- `Error("Decryption produced empty string")`
-- `Error("Unable to decrypt: no valid key found or invalid payload")`
+`Promise<string>` --- Ciphertext string.
 
 ---
 
-## ⚙️ How It Works
+### decrypt`<T>`{=html}(payload: string, secret: string, intervalSeconds: number): Promise`<T>`{=html}
 
-- The key **rotates** every defined interval (e.g., every 60 seconds)
+Decrypts and validates ciphertext produced by `encrypt`.
 
-- Derived using:
+---
 
-  ```
-  SHA256(`${secretInput}:${timeSlot}`)
-  ```
+| Name              | Type     | Description                               |
+| ----------------- | -------- | ----------------------------------------- |
+| `payload`         | `string` | Encrypted string (`sigCipher:iv:data:iv`) |
+| `secret`          | `string` | Same shared secret used during encryption |
+| `intervalSeconds` | `number` | Same rotation interval used during        |
 
-  where
-  `timeSlot = floor(Date.now() / (interval * 1000) + 1000)`
+---
 
-- AES encryption uses:
+**Returns**
 
-  - **AES-256-CBC**
-  - **PKCS#7 padding**
-  - **Random 16-byte IV**
+`Promise<T>` --- Decrypted JavaScript value.
 
-- Encrypted output format:
+**Throws**
 
-  ```
-  <cipherHex>:<ivHex>
-  ```
+- `Error("Invalid cipher format")`
+- `Error("Invalid signature")`
+- Decryption errors if authentication fails
 
-**Both ends** must:
+---
 
-- Use the **same secret** (or JWT)
-- Use the **same rotation interval**
-- Have **roughly synchronized clocks** (within ±1 interval)
+## Key Derivation
 
----
+Keys are derived using:
 
-## Handling Key Rotation Drift
+- HKDF with SHA-256
+- Salt = current time slot
+- Info = "time-based-encryption"
 
-If decryption fails due to slight clock drift, try nearby intervals:
+Time slot calculation:
 
-```ts
-const now = Date.now();
-const interval = 60;
-const secret = "mySuperSecret";
+    timeSlot = floor(Date.now() / (intervalSeconds * 1000))
 
-const currentKey = generateKey(secret, interval);
-const prevKey = generateKey(secret, interval); // simulate earlier slot
-const nextKey = generateKey(secret, interval); // simulate next slot
-
-try {
-  return decrypt(cipher, currentKey);
-} catch {
-  try {
-    return decrypt(cipher, prevKey);
-  } catch {
-    return decrypt(cipher, nextKey);
-  }
-}
-```
+A new encryption key is automatically derived for each time window.
 
 ---
 
-## Browser + Node Compatibility
+## Security Model
 
-| Environment     | Supported | Notes                                      |
-| --------------- | --------- | ------------------------------------------ |
-| Node.js         | ✅        | Uses `crypto-js`, no native crypto needed  |
-| React / Browser | ✅        | Fully supported                            |
-| Next.js         | ✅        | Works in both server and client components |
+- Uses AES-256-GCM (authenticated encryption)
+- Provides built-in integrity and tamper detection
+- Includes encrypted signature validation
+- No manual HMAC required (GCM provides authentication)
+- Requires loosely synchronized clocks between encrypting and
+  decrypting systems
 
 ---
 
-## Security Notes
+## Environment Support
 
-- AES-256-CBC provides **confidentiality**, not integrity — consider adding an **HMAC** if you need tamper detection.
-- Avoid embedding secrets in frontend code — end users can access them.
-- JWT mode only validates the `exp` claim.
+| Name              | Supported |
+| ----------------- | --------- |
+| `Node.js 18+`     | Yes       |
+| `Modern Browsers` | Yes       |
+| `React / Next.js` | Yes       |
 
 ---
 
 ## Requirements
 
-- Node.js ≥ 14 or any modern browser
-- `crypto-js` dependency (installed automatically)
+- Node.js 18+ or modern browser with Web Crypto API
+- No external cryptography libraries required
 
 ---
 
 ## License
 
-MIT License © 2025 [Deb Kalyan Mohanty](https://github.com/debkalyanmohanty)
+MIT License © 2026\
+[Deb Kalyan Mohanty](https://github.com/debkalyanmohanty)

package/dist/index.d.ts

@@ -1,62 +1,30 @@
 /**
- * Generate a time-based rotating key (SHA256 hash of sharedSecret + current interval).
+ * Time-Based Cipher with Encrypted Signature
  *
- * The key is derived from:
- *   SHA256(`${secretInput}:${timeSlot}`)
- * where:
- *   timeSlot = floor(Date.now() / (interval * 1000) + 1000)
+ * Format:
+ *   sigCipherHex:sigIvHex:dataCipherHex:dataIvHex
  *
- * When `isJwt` is true:
- *   - `sharedSecretOrJwt` is treated as a JWT string
- *   - The JWT payload is decoded
- *   - The `exp` claim (if present) is checked against current time
- *   - If the JWT is expired, an error is thrown and no key is generated
- *   - The *raw JWT string* is still used as the secret input for key derivation
- *
- * @param sharedSecretOrJwt - A pre-shared secret string, or a JWT when `isJwt` is true.
- * @param interval - The rotation interval in seconds. The timeSlot calculation
- *                   is based on this value, so both sides must use the same interval.
- * @param isJwt - Optional flag (default: false). When true, `sharedSecretOrJwt` is
- *                treated as a JWT and its `exp` is validated before deriving the key.
- * @returns A 64-character hexadecimal SHA-256 hash string to be used as an AES-256 key.
- * @throws If `isJwt` is true and the JWT is malformed or expired.
+ * Requirements:
+ *   - Node.js 18+
+ *   - Modern browsers
  */
-export declare const generateKey: (sharedSecretOrJwt: string, interval: number, isJwt?: boolean) => string;
 /**
- * Encrypt an arbitrary JavaScript value using AES-256-CBC with a random IV.
+ * Encrypt JSON data with encrypted signature.
  *
- * The function:
- *   - JSON stringifies the input `data`
- *   - Uses the provided hex-encoded key as AES-256 key material
- *   - Generates a random 16-byte IV
- *   - Encrypts using AES-256-CBC
- *   - Returns a concatenated string in the format: "cipherHex:ivHex"
+ * @param data - JSON-serializable data.
+ * @param secret - Shared secret.
+ * @param intervalSeconds - Rotation interval in seconds.
  *
- * @param data - Any serializable JavaScript value (e.g. object, array, string) to encrypt.
- * @param encryptionKeyHex - A 64-character hex string representing a 32-byte key
- *                           (typically the output of {@link generateKey}).
- * @returns A string in the format `"cipherHex:ivHex"` where both parts are hex-encoded.
- * @throws If encryption fails or JSON serialization fails.
+ * @returns Promise resolving to ciphertext string.
  */
-export declare const encrypt: (data: any, encryptionKeyHex: string) => string;
+export declare function encrypt<T>(data: T, secret: string, intervalSeconds: number): Promise<string>;
 /**
- * Decrypt an AES-256-CBC ciphertext string produced by {@link encrypt}.
- *
- * The function expects the input to be in the format:
- *   "cipherHex:ivHex"
- * where:
- *   - cipherHex is the hex-encoded ciphertext
- *   - ivHex is the hex-encoded 16-byte IV
+ * Decrypt ciphertext with encrypted signature validation.
  *
- * It will:
- *   - Split and parse the hex components
- *   - Decrypt using AES-256-CBC with the provided key
- *   - Parse the resulting UTF-8 JSON back into the original JavaScript value
+ * @param payload - Ciphertext string.
+ * @param secret - Shared secret.
+ * @param intervalSeconds - Rotation interval.
  *
- * @param cipherText - The ciphertext string in the format `"cipherHex:ivHex"`.
- * @param encryptionKeyHex - A 64-character hex string representing a 32-byte key
- *                           (must match the key used for encryption).
- * @returns The decrypted JavaScript value (e.g. object, array, string).
- * @throws If the format is invalid, decryption fails, or the decrypted output is empty/invalid JSON.
+ * @returns Promise resolving to decrypted data.
  */
-export declare const decrypt: (cipherText: string, encryptionKeyHex: string) => unknown;
+export declare function decrypt<T>(payload: string, secret: string, intervalSeconds: number): Promise<T>;

package/dist/index.js

@@ -1,154 +1,122 @@
 "use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.decrypt = exports.encrypt = exports.generateKey = void 0;
-const crypto_js_1 = __importDefault(require("crypto-js"));
 /**
- * Decode the payload of a JWT without verifying its signature.
- * Used only to read the `exp` claim (in seconds since epoch).
+ * Time-Based Cipher with Encrypted Signature
+ *
+ * Format:
+ *   sigCipherHex:sigIvHex:dataCipherHex:dataIvHex
  *
- * @param token - The JWT string (header.payload.signature)
- * @returns Parsed payload object.
- * @throws If the token is malformed or payload is not valid JSON.
+ * Requirements:
+ *   - Node.js 18+
+ *   - Modern browsers
  */
-const decodeJwtPayload = (token) => {
-    const parts = token.split(".");
-    if (parts.length < 2) {
-        throw new Error("Invalid JWT: missing payload part");
-    }
-    const base64Url = parts[1];
-    const base64 = base64Url.replace(/-/g, "+").replace(/_/g, "/");
-    // Use CryptoJS to decode base64 → UTF-8
-    const wordArray = crypto_js_1.default.enc.Base64.parse(base64);
-    const json = wordArray.toString(crypto_js_1.default.enc.Utf8);
-    try {
-        return JSON.parse(json);
-    }
-    catch {
-        throw new Error("Invalid JWT payload JSON");
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.encrypt = encrypt;
+exports.decrypt = decrypt;
+const cryptoObj = (() => {
+    if (typeof globalThis !== "undefined" && globalThis.crypto) {
+        return globalThis.crypto;
     }
-};
+    throw new Error("Web Crypto API not available. Requires Node 18+ or modern browser.");
+})();
+const encoder = new TextEncoder();
+const decoder = new TextDecoder();
 /**
- * Generate a time-based rotating key (SHA256 hash of sharedSecret + current interval).
- *
- * The key is derived from:
- *   SHA256(`${secretInput}:${timeSlot}`)
- * where:
- *   timeSlot = floor(Date.now() / (interval * 1000) + 1000)
- *
- * When `isJwt` is true:
- *   - `sharedSecretOrJwt` is treated as a JWT string
- *   - The JWT payload is decoded
- *   - The `exp` claim (if present) is checked against current time
- *   - If the JWT is expired, an error is thrown and no key is generated
- *   - The *raw JWT string* is still used as the secret input for key derivation
- *
- * @param sharedSecretOrJwt - A pre-shared secret string, or a JWT when `isJwt` is true.
- * @param interval - The rotation interval in seconds. The timeSlot calculation
- *                   is based on this value, so both sides must use the same interval.
- * @param isJwt - Optional flag (default: false). When true, `sharedSecretOrJwt` is
- *                treated as a JWT and its `exp` is validated before deriving the key.
- * @returns A 64-character hexadecimal SHA-256 hash string to be used as an AES-256 key.
- * @throws If `isJwt` is true and the JWT is malformed or expired.
+ * Convert ArrayBuffer to hex string.
+ */
+function toHex(buffer) {
+    return Array.from(new Uint8Array(buffer))
+        .map((b) => b.toString(16).padStart(2, "0"))
+        .join("");
+}
+/**
+ * Convert hex string to ArrayBuffer.
  */
-const generateKey = (sharedSecretOrJwt, interval, isJwt = false) => {
-    let secretInput = sharedSecretOrJwt;
-    if (isJwt) {
-        const payload = decodeJwtPayload(sharedSecretOrJwt);
-        if (typeof payload.exp !== "number") {
-            throw new Error("JWT payload does not contain a valid 'exp' claim");
-        }
-        const nowSeconds = Math.floor(Date.now() / 1000);
-        if (payload.exp <= nowSeconds) {
-            throw new Error("JWT is expired");
-        }
+function hexToBuffer(hex) {
+    if (!/^[0-9a-fA-F]+$/.test(hex) || hex.length % 2 !== 0) {
+        throw new Error("Invalid hex string");
     }
-    const timeSlot = Math.floor(Date.now() / (interval * 1000) + 1000);
-    const input = `${secretInput}:${timeSlot}`;
-    // SHA-256 → hex string
-    return crypto_js_1.default.SHA256(input).toString(crypto_js_1.default.enc.Hex);
-};
-exports.generateKey = generateKey;
+    const bytes = new Uint8Array(hex.match(/.{1,2}/g).map((b) => parseInt(b, 16)));
+    return bytes.buffer;
+}
 /**
- * Encrypt an arbitrary JavaScript value using AES-256-CBC with a random IV.
+ * Derive AES-256-GCM key using HKDF-SHA256.
+ */
+async function deriveKey(secret, intervalSeconds) {
+    if (!secret)
+        throw new Error("Secret must not be empty");
+    if (intervalSeconds <= 0)
+        throw new Error("intervalSeconds must be positive");
+    const now = Date.now() - 1000;
+    const timeSlot = Math.floor(now / (intervalSeconds * 1000));
+    const baseKey = await cryptoObj.subtle.importKey("raw", encoder.encode(secret).buffer, { name: "HKDF" }, false, ["deriveKey"]);
+    return cryptoObj.subtle.deriveKey({
+        name: "HKDF",
+        hash: "SHA-256",
+        salt: encoder.encode(String(timeSlot)).buffer,
+        info: encoder.encode("time-based-encryption").buffer,
+    }, baseKey, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
+}
+/**
+ * Encrypt raw ArrayBuffer with AES-GCM.
+ */
+async function aesEncrypt(key, data) {
+    const ivBytes = cryptoObj.getRandomValues(new Uint8Array(12));
+    const iv = ivBytes.buffer;
+    const cipher = await cryptoObj.subtle.encrypt({ name: "AES-GCM", iv }, key, data);
+    return { cipher, iv };
+}
+/**
+ * Decrypt raw ArrayBuffer with AES-GCM.
+ */
+async function aesDecrypt(key, cipher, iv) {
+    return cryptoObj.subtle.decrypt({ name: "AES-GCM", iv }, key, cipher);
+}
+/**
+ * Encrypt JSON data with encrypted signature.
  *
- * The function:
- *   - JSON stringifies the input `data`
- *   - Uses the provided hex-encoded key as AES-256 key material
- *   - Generates a random 16-byte IV
- *   - Encrypts using AES-256-CBC
- *   - Returns a concatenated string in the format: "cipherHex:ivHex"
+ * @param data - JSON-serializable data.
+ * @param secret - Shared secret.
+ * @param intervalSeconds - Rotation interval in seconds.
  *
- * @param data - Any serializable JavaScript value (e.g. object, array, string) to encrypt.
- * @param encryptionKeyHex - A 64-character hex string representing a 32-byte key
- *                           (typically the output of {@link generateKey}).
- * @returns A string in the format `"cipherHex:ivHex"` where both parts are hex-encoded.
- * @throws If encryption fails or JSON serialization fails.
+ * @returns Promise resolving to ciphertext string.
  */
-const encrypt = (data, encryptionKeyHex) => {
-    const json = JSON.stringify(data);
-    try {
-        // key and IV as WordArray
-        const key = crypto_js_1.default.enc.Hex.parse(encryptionKeyHex); // 32 bytes
-        const iv = crypto_js_1.default.lib.WordArray.random(16); // 16 bytes
-        const encrypted = crypto_js_1.default.AES.encrypt(json, key, { iv });
-        const cipherHex = encrypted.ciphertext.toString(crypto_js_1.default.enc.Hex);
-        const ivHex = iv.toString(crypto_js_1.default.enc.Hex);
-        return `${cipherHex}:${ivHex}`;
-    }
-    catch (err) {
-        // eslint-disable-next-line no-console
-        console.error("Error in encrypt:", err);
-        throw err;
-    }
-};
-exports.encrypt = encrypt;
+async function encrypt(data, secret, intervalSeconds) {
+    const key = await deriveKey(secret, intervalSeconds);
+    // Signature payload (can be customized)
+    const signaturePayload = encoder.encode("signature-v1").buffer;
+    const sigEncrypted = await aesEncrypt(key, signaturePayload);
+    const dataBuffer = encoder.encode(JSON.stringify(data)).buffer;
+    const dataEncrypted = await aesEncrypt(key, dataBuffer);
+    return [
+        toHex(sigEncrypted.cipher),
+        toHex(sigEncrypted.iv),
+        toHex(dataEncrypted.cipher),
+        toHex(dataEncrypted.iv),
+    ].join(":");
+}
 /**
- * Decrypt an AES-256-CBC ciphertext string produced by {@link encrypt}.
+ * Decrypt ciphertext with encrypted signature validation.
  *
- * The function expects the input to be in the format:
- *   "cipherHex:ivHex"
- * where:
- *   - cipherHex is the hex-encoded ciphertext
- *   - ivHex is the hex-encoded 16-byte IV
+ * @param payload - Ciphertext string.
+ * @param secret - Shared secret.
+ * @param intervalSeconds - Rotation interval.
  *
- * It will:
- *   - Split and parse the hex components
- *   - Decrypt using AES-256-CBC with the provided key
- *   - Parse the resulting UTF-8 JSON back into the original JavaScript value
- *
- * @param cipherText - The ciphertext string in the format `"cipherHex:ivHex"`.
- * @param encryptionKeyHex - A 64-character hex string representing a 32-byte key
- *                           (must match the key used for encryption).
- * @returns The decrypted JavaScript value (e.g. object, array, string).
- * @throws If the format is invalid, decryption fails, or the decrypted output is empty/invalid JSON.
+ * @returns Promise resolving to decrypted data.
  */
-const decrypt = (cipherText, encryptionKeyHex) => {
-    const [encryptedHex, ivHex] = cipherText.split(":");
-    if (!ivHex || !encryptedHex) {
-        throw new Error("Invalid cipher format, expected cipherHex:ivHex");
-    }
-    const key = crypto_js_1.default.enc.Hex.parse(encryptionKeyHex);
-    const iv = crypto_js_1.default.enc.Hex.parse(ivHex);
-    const ciphertext = crypto_js_1.default.enc.Hex.parse(encryptedHex);
-    // Proper CipherParams object
-    const cipherParams = crypto_js_1.default.lib.CipherParams.create({
-        ciphertext,
-    });
-    try {
-        const decrypted = crypto_js_1.default.AES.decrypt(cipherParams, key, { iv });
-        const utf8 = decrypted.toString(crypto_js_1.default.enc.Utf8);
-        if (!utf8) {
-            throw new Error("Decryption produced empty string");
-        }
-        return JSON.parse(utf8);
+async function decrypt(payload, secret, intervalSeconds) {
+    const parts = payload.split(":");
+    if (parts.length !== 4) {
+        throw new Error("Invalid cipher format");
     }
-    catch (err) {
-        // eslint-disable-next-line no-console
-        console.error("Error decrypting with current key:", err);
-        throw new Error("Unable to decrypt: no valid key found or invalid payload");
+    const [sigCipherHex, sigIvHex, dataCipherHex, dataIvHex,] = parts;
+    const key = await deriveKey(secret, intervalSeconds);
+    // Decrypt signature
+    const sigPlain = await aesDecrypt(key, hexToBuffer(sigCipherHex), hexToBuffer(sigIvHex));
+    const sigText = decoder.decode(sigPlain);
+    if (sigText !== "signature-v1") {
+        throw new Error("Invalid signature");
     }
-};
-exports.decrypt = decrypt;
+    // Decrypt actual data
+    const dataPlain = await aesDecrypt(key, hexToBuffer(dataCipherHex), hexToBuffer(dataIvHex));
+    return JSON.parse(decoder.decode(dataPlain));
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "timebasedcipher",
-  "version": "3.0.0",
+  "version": "3.0.2",
   "description": "Time-based key generation and AES encryption/decryption SDK",
   "main": "dist/index.js",
   "module": "dist/index.js",